Hi,
I want to convert the
Input: 2013-12-09 18:11:34
Input: 13-12-09 18:11:34
I want a common regex to convert the above formats to the format below:
Output: Thu December 2013 12 18:11:34
I tried with the regex
| eval m=strptime(timestamp,"%Y-%m-%d") | eval timestamp=strftime(m,"%B %Y") | table timestamp
But it converts only timestamps in the format 2013-12-09 18:11:34 and not 13-12-09 18:11:34.
Try this
yoursearchhere
| eval outputTimestamp = if (match(timestamp,"^\d{2}-\d{2}-\d{2} \d{2}\:\d{2}\:\d{2}"),
    strptime(timestamp,"%y-%m-%d %H:%M:%S"),strptime(timestamp,"%Y-%m-%d %H:%M:%S"))
| eval outputTimestamp = strftime(outputTimestamp,"%a %b %Y %d %H:%M:%S")
| table timestamp outputTimestamp
If these are timestamps in your input, aren't they the timestamp that Splunk uses in its own timestamp recognition? I think you might be making this more complicated than it needs to be.
Thanks a lot...it is working
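The two-format normalization from the answer above, as an added example that is not part of the original thread: a Python stand-in (Python's `re` and `strptime`, not Splunk's) for checking expected values offline and for seeing why the two-digit-year pattern has to be anchored. The names `normalize_timestamp` and `unanchored_hits_long_year`, the `None` result for unparsed values, and the sample strings are assumptions of this example.

```python
import re
from datetime import datetime

# Each pattern is applied with fullmatch(), so it must cover the whole value
# and a four-digit year can never be taken for a two-digit one.
FORMATS = [
    (re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"), "%Y-%m-%d %H:%M:%S"),
    (re.compile(r"\d{2}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"), "%y-%m-%d %H:%M:%S"),
]
OUTPUT_FORMAT = "%a %b %Y %d %H:%M:%S"  # output format used in the answer


def normalize_timestamp(value):
    """Return the reformatted timestamp, or None if no known format applies."""
    value = value.strip()
    for pattern, fmt in FORMATS:
        if pattern.fullmatch(value):
            try:
                return datetime.strptime(value, fmt).strftime(OUTPUT_FORMAT)
            except ValueError:
                return None  # right shape, impossible date (e.g. month 13)
    return None  # unknown layout: report it instead of guessing


def unanchored_hits_long_year(value):
    """True when an unanchored two-digit-year search matches inside the value."""
    return FORMATS[1][0].search(value) is not None


# Constructed sample values: both layouts from the question plus two bad ones.
SAMPLES = [
    "2013-12-09 18:11:34",
    "13-12-09 18:11:34",
    "13-13-09 18:11:34",
    "09/12/2013 18:11",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:24} -> {normalize_timestamp(sample)}")
    # The substring "13-12-09 18:11:34" sits inside the four-digit-year value,
    # so an unanchored test would route it to the %y branch.
    print(unanchored_hits_long_year("2013-12-09 18:11:34"))
```

Values that come back as `None` are worth counting rather than dropping, since events with unparsed timestamps fall out of time-based correlation.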